The subject invention relates to shielding to prevent attacks on a network architecture, and in particular, to a self-shielding system that prevents attacks on a network, or reduces their impact and spread within the network, while still providing users access to its services.
To penetrate and dominate networks, hackers initially obtain a foothold on a single machine in the network, either by exploiting a vulnerability in the Operating System (“OS”) or by social engineering. This step is difficult to prevent because of the vast number of targets of opportunity.
Once hackers are able to execute code on one machine, they attempt to escalate rights, that is, to find a way to execute with higher privileges than the original break-in, which is normally a low-privilege entry. Once they are able to execute at higher privilege, the attacker scouts the machine for accounts that would provide such privileges without hacking through OS vulnerabilities, since those vectors can be closed at any moment. With knowledge of valid accounts, possibly with administrator rights, hackers place a “sniffer” in the network to observe and scout for the next target. A sniffer is a piece of code that “listens” to all packets and stores statistics about the traffic it observes.
Based on the data obtained, the hacker can now determine which hosts in the network are likely targets for spreading the infection. The choice often falls on servers that may hold interesting information (credit card or proprietary data) or on hosts that have access to those servers. Once a new target is known, the hacker can find ways to take control of the valued target without calling much attention to itself. Without the ability to understand the network, hackers are limited to spreading blindly, which makes them easy targets for security systems and protocols.
The static nature of computer networks allows attackers to gather intelligence, perform planning, and then execute attacks at will. Further, once an attacker has gained access to a host within an enclave, there is little to stop a determined attacker from mapping out and spreading to other hosts and services within the enclave.
Various types of malicious behavior are difficult, if not impossible, to prevent using static networks and detection-based techniques. Malicious behaviors typically require careful analysis to distinguish from legitimate behaviors, which makes the gradual collection of information about a static network feasible for an attacker.
Although an enclave typically has a heavily secured perimeter firewall that performs various scanning tasks to protect the network from outside attackers, in practice such a firewall can and will be avoided by attackers. With the shift in the motivation of attackers away from notoriety and curiosity towards financial gain and state-sponsored espionage, a specific “zero-day” vulnerability or virus can be reserved specifically for use in a given attack. It is therefore not prudent to rely solely on the hope that a firewall processing millions of packets every minute can perform the analysis needed to meaningfully detect malware that exploits a previously unknown vulnerability. Even if this were the case, a user with direct access to a host in the enclave can be deceived into directly infecting that host, completely bypassing any perimeter-based detection.
Once an attacker breaches the enclave, spreading further within the enclave is significantly easier than gaining the initial foothold. The entire enclave can thus be potentially exposed via software vulnerability or an ill-informed act by a user. When an attacker compromises a single host, one should assume that the malicious software has compromised the host's OS and so can monitor all information sent to and from that host and the network. The compromised host can then easily learn the IP addresses of important hosts, record all usernames and passwords observed, misuse the user's smartcard-based credentials, hijack connections, etc.
As a result of these issues, there is disappointingly little to effectively stop an attack from spreading once inside the enclave. Further, there is always a risk that a determined attacker may use a combination of stolen credentials, knowledge of the detection system's alarm thresholds, and patience to avoid any detection-based technology intended to prevent or identify attacks. In fact, if such detection systems are known to be present, this is the logical course for the attacker to take. A network therefore requires methods to reduce the effectiveness of malicious behaviors in all aspects of an attack including network mapping, attack planning, automated attacks, command and control, long-term advanced persistent threats, etc.
The fact that hackers have an unlimited time frame to study the networks that they are attacking is called the asymmetry of a network attack. An object of the invention is to deny this asymmetry. By fundamentally changing the nature of the network to make it dynamic, many classes of attacks can be prevented, or their impact and spread can be reduced and limited. To secure the enclave in the presence of these attack vectors, an object of the invention is to manage the competing goals of simultaneously securing the host's operating system from the network while providing the user access to needed services.